GitGuardian’s State of Secrets Sprawl report for 2025 reveals an alarming scale of secrets exposure in modern software. Non-human identities (NHIs) have been growing rapidly and have outnumbered human users for years. Organizations need to get ahead of this growth and put security measures in place for managing these machine identities as they continue to proliferate, creating an unprecedented security risk.
The report counts a staggering 23.77 million new secrets exposed on GitHub alone in 2024, a 25% increase over the previous year. This sharp growth underscores how the spread of non-human identities (NHIs), such as services, microservices and AI agents, rapidly expands the attack surface available to threat actors.
The non-human identity crisis
NHI secrets, including API keys, service accounts and Kubernetes workers, now outnumber human identities by at least 45 to 1 in DevOps environments. These machine credentials are essential to modern infrastructure, but they create significant security problems when mishandled.
Most exposed credentials remain valid. GitGuardian’s analysis showed that 70% of the secrets first detected in public repositories in 2022 are still active today, which points to a systemic failure in credential rotation and management practices.
Private repositories: a false sense of security
Organizations may believe their code is safe in private repositories, but the data tells a different story. Private repositories are about 8 times more likely to contain secrets than public ones. This suggests that many teams are relying on “security through obscurity” rather than implementing proper secrets management.
The report revealed significant differences in the types of secrets found in private and public repositories:
- Generic secrets make up 74.4% of all leaks in private repositories versus 58% in public ones
- Generic passwords make up 24% of all generic secrets in private repositories compared to only 9% in public repositories
- Enterprise credentials such as AWS IAM keys appear in 8% of private repositories but only 1.5% of public ones
This pattern suggests that developers are more careful with public code but often cut corners in environments they believe are protected.
AI tools are making the problem worse
GitHub Copilot and other AI coding assistants can boost productivity, but they also increase security risk. Repositories with Copilot enabled were found to have a 40% higher rate of secret leaks than repositories without AI assistance.
This troubling statistic suggests that AI-driven development, while accelerating code production, may encourage developers to deprioritize security, introducing credentials that bypass traditional development practices.
Docker Hub: 100,000+ valid secrets exposed
In an unprecedented analysis of 15 million public Docker images on Docker Hub, GitGuardian discovered more than 100,000 valid secrets, including AWS keys, GCP keys and GitHub tokens belonging to Fortune 500 companies.
The study found that 97% of these valid secrets were present exclusively in image layers, most of which are smaller than 15 MB. The ENV instruction alone accounts for 65% of all leaks, highlighting a significant blind spot in container security.
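The ENV finding above is worth seeing concretely: a secret set with `ENV` lands both in the image’s runtime configuration (`Config.Env`) and in the `created_by` string of the layer that set it, so it survives in every image built on top even if a later layer unsets the variable. The following scanner is an added example written for this article, not GitGuardian’s detector or any project’s code. Its input is a constructed dict shaped like the output of `docker image inspect` and `docker history`; the AWS access key ID and GitHub classic token formats are the publicly documented ones, and the generic password rule is a heuristic assumption.

```python
"""Scan a Docker image's config and layer history for secrets set via ENV.

Added example (not GitGuardian's or Docker's code). Input is constructed to
look like `docker image inspect` (Config.Env) and `docker history`
(created_by per layer). Detection rules are assumptions, not a product's.
"""
import re

# Detection rules (assumed). AKIA... and ghp_... are the published formats
# for AWS access key IDs and GitHub classic personal access tokens; the
# generic rule catches PASSWORD=/SECRET= style assignments with 8+ chars.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*=\s*\S{8,}"),
}


def find_secrets(text):
    """Return (rule_name, matched_text) for every secret-looking token in text."""
    hits = []
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((rule, m.group(0)))
    return hits


def redact(value):
    """Keep a short prefix so a finding can be triaged without re-exposing it."""
    return value[:6] + "..."


def scan_image(config_env, history):
    """Flag secrets in the runtime ENV and in the layer metadata that set them.

    config_env: list of "KEY=value" strings, as in Config.Env.
    history: list of created_by strings, one per layer, oldest first.
    Returns findings as {"where", "rule", "evidence"} dicts, env first.
    """
    findings = []
    for entry in config_env:
        key = entry.split("=", 1)[0]
        for rule, value in find_secrets(entry):
            findings.append({"where": f"Config.Env:{key}", "rule": rule, "evidence": redact(value)})
    for idx, created_by in enumerate(history):
        # Only ENV instructions carry values into layer metadata; RUN/ADD lines
        # are skipped here (their file contents would need a filesystem scan).
        if "ENV " not in created_by:
            continue
        for rule, value in find_secrets(created_by):
            findings.append({"where": f"layer[{idx}]", "rule": rule, "evidence": redact(value)})
    return findings


# Constructed sample. AKIAIOSFODNN7EXAMPLE is the example key from AWS docs.
SAMPLE_ENV = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD=hunter2hunter2",
]
SAMPLE_HISTORY = [
    "/bin/sh -c #(nop) ADD file:0123456789abcdef in / ",
    "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "/bin/sh -c apt-get update && apt-get install -y curl",
    "/bin/sh -c #(nop)  ENV DB_PASSWORD=hunter2hunter2",
]


def demo():
    """Scan the constructed sample image; returns four findings."""
    return scan_image(SAMPLE_ENV, SAMPLE_HISTORY)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['where']:32} {f['rule']:20} {f['evidence']}")
```

Against a real image, `docker image inspect <image> --format '{{json .Config.Env}}'` and `docker history --no-trunc --format '{{.CreatedBy}}' <image>` produce exactly the two inputs `scan_image` expects. Note that findings in the layer history persist even after the variable is overwritten or unset in a later `ENV`, which is why removing the secret from the final config alone does not fix the leak.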
Beyond source code: secrets in collaboration tools
Secret leaks are not limited to code repositories. The report found that collaboration platforms such as Slack, Jira and Confluence have become significant vectors for credential exposure.
Alarmingly, secrets found on these platforms are typically more critical than those in source code repositories, with 38% of incidents classified as highly critical or urgent compared to 31% in source control systems. This is partly because these platforms lack the security controls present in modern source code management tools.
Just as concerning, only 7% of the secrets found in collaboration tools also appear in the code base, making this area of secrets sprawl a unique problem that most secret scanning tools cannot address. Moreover, the users of these systems span every department boundary, so anyone on these platforms can potentially leak credentials.
The permissions problem
Compounding the risk, GitGuardian found that leaked credentials often carry excessive permissions:
- 99% of leaked GitLab API keys had either full access (58%) or read-only access (41%)
- 96% of leaked GitHub tokens had write access, with 95% granting full repository access
These broad permissions significantly amplify the potential impact of a compromised credential, making it easier for attackers to move laterally and escalate privileges.
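A practical follow-up to these figures is auditing the tokens an organization already issues against what each one actually needs. The script below is an added example for this article, not GitGuardian’s or GitHub’s code. It assumes scope lists taken from the `X-OAuth-Scopes` response header that the GitHub REST API returns for classic personal access tokens; the grouping of scope names into read, write and full-repository levels is a deliberately coarse assumption, and the token inventory is constructed.

```python
"""Audit GitHub classic-token scopes for over-privilege (added example).

Assumes each token's scopes come from the X-OAuth-Scopes header of a GitHub
REST API response (e.g. "repo, read:org"). The level mapping below is an
assumption kept intentionally coarse; adapt it to your own policy.
"""

FULL_REPO_SCOPE = "repo"                     # read/write on all repos, incl. private
WRITE_SCOPES = {"public_repo", "workflow", "gist", "delete_repo"}
WRITE_PREFIXES = ("write:", "admin:")        # write:packages, admin:org, ...
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "full_repo": 3}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a clean list of scope names."""
    return [s.strip() for s in header_value.split(",") if s.strip()]


def access_level(scopes):
    """Collapse a scope list into one of none/read/write/full_repo."""
    if FULL_REPO_SCOPE in scopes:
        return "full_repo"
    if any(s in WRITE_SCOPES or s.startswith(WRITE_PREFIXES) for s in scopes):
        return "write"
    if scopes:
        return "read"
    return "none"


def audit(tokens):
    """tokens: {label: (scopes_header, needed_level)}.

    Returns the share of tokens with write or full access (the kind of
    number the report quotes) and the labels whose granted level exceeds
    the level their owner declared they need.
    """
    granted = {label: access_level(parse_scopes(hdr)) for label, (hdr, _) in tokens.items()}
    total = len(granted)
    write_like = sum(1 for lvl in granted.values() if LEVEL_RANK[lvl] >= LEVEL_RANK["write"])
    full = sum(1 for lvl in granted.values() if lvl == "full_repo")
    over = [label for label, (_, need) in tokens.items()
            if LEVEL_RANK[granted[label]] > LEVEL_RANK[need]]
    return {
        "granted": granted,
        "write_share": write_like / total if total else 0.0,
        "full_repo_share": full / total if total else 0.0,
        "over_privileged": over,
    }


# Constructed inventory: (X-OAuth-Scopes value, level the owner says is needed).
SAMPLE_TOKENS = {
    "ci-deploy": ("repo, workflow", "write"),
    "docs-bot": ("public_repo", "write"),
    "dashboard-reader": ("read:org, read:user", "read"),
    "legacy-script": ("repo", "read"),
}


def demo():
    return audit(SAMPLE_TOKENS)


if __name__ == "__main__":
    result = demo()
    print(f"write or full access: {result['write_share']:.0%}")
    print(f"full repo access:     {result['full_repo_share']:.0%}")
    print("over-privileged:", ", ".join(result["over_privileged"]))
```

The `needed_level` column is the part that turns a statistic into a remediation list: `legacy-script` only reads data but holds `repo`, so it is the first candidate for replacement with a read-only scope or a fine-grained token. For fine-grained personal access tokens GitHub does not return `X-OAuth-Scopes`, so the same audit would need to read the token’s declared permissions from the token settings instead.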
The widening secrets sprawl cycle
While organizations are increasingly adopting secrets management solutions, the report emphasizes that these tools alone are not enough. GitGuardian found that even repositories using secrets managers in 2024 had a 5.1% leak rate.
The problem requires a comprehensive approach that addresses the entire secret lifecycle, combining automated detection with rapid remediation and integrating the process throughout the development workflow.
As the State of Secrets Sprawl 2025 report warns: “As non-human identities multiply, so do the secrets and the associated security risks. Reactive and fragmented approaches to secrets management are simply insufficient in a world of automated deployment, AI-generated code and rapid application delivery.”